1 | L IFE SCIENCES

Compliance Effectiveness Review: What’s a Board to Do?

Healthcare and life sciences companies face increasing Federal government investigation and enforcement of alleged fraud and misconduct. Three stat-utes have in particular enhanced the arsenal of government prosecutors:

» 2009 Fraud Enforcement and Recovery Act (FERA), which greatly expanded the grounds for liability under the False Claims Act

» 2010 Patient Protection and Affordable Care Act (PPACA), which dramatically increased the Federal sentencing guidelines for monetary penalties associated with healthcare fraud offenses

» 2010 Dodd-Frank Act and related final 2011 version, which enhanced and reinforced whistleblower incentives to reward employees and third parties who report violations.

All three statutes blur the line between willful fraud and mistakes or lack of oversight, and directly implicate the compliance oversight responsibility of company Boards of Directors and leadership.

Corporate Integrity Agreements (CIA) are the number one mechanism for government enforcement of compliance requirements for companies and their Boards, and Board members. These detailed and restrictive programs are imposed on healthcare and life sciences companies by the Office of Inspec-tor General, Health and Human Services (OIG) when serious fraud, abuse or other misconduct is documented through an investigation or self-disclosure. In addition to remedial steps to address conduct that led to the settlement, CIAs usually require a targeted compliance review performed by an Independent Review Organization (IRO), and on occasion, the appointment of a Board-lev-el compliance expert to conduct an independent Compliance Effectiveness Review on behalf of the Board.

Guidelines and Responsibilities

The steps to development and implementation of an effective compliance program do not take place in a compliance vacuum. The Federal Sentenc-ing Guidelines that apply to all organizations convicted of Federal crimes specify that compliance programs can be considered as mitigating factors for reduced sentences, if they are designed, implemented and enforced with appropriate due diligence to prevent and detect criminal conduct. A well-designed compliance and ethics program is however, only half the picture. Critical to its success are its ability to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need for continuous improvement. This requires a commitment by senior executives and the Board, reflected in appropriate compliance funding, oversight, measurement and re-porting, coupled with organization-wide compliance training. The compliance program needs to be seen as an asset to the company.

AUTHORS »

Saul B. Helman, M.D. Navigant Market Segment Leader Life Sciences Disputes, Compliance and Investigations 317.294.1228 saul.helman@navigant.com

Richard Eschle Senior Director, Compliance Eisai Inc.

navigant.com

2 | L IFE SCIENCES

This concept of continuous evolution of the compliance program is captured well in both the 2010 amendments to the Federal Sentencing Guidelines and the OIG guid-ance for pharmaceutical manufacturers and incorporat-ed in a basic governance guide on corporate responsibil-ity and corporate compliance: Corporate Responsibility and Corporate Compliance: Resource for Health Care Boards of Directors. The guide was developed by the OIG and the American Health Lawyers Association (AHLA). In conjunction with the Federal Sentencing Guideline amendments, it details many of the expectations for the compliance responsibilities of every Board member.

The Federal Sentencing Guidelines were updated in 2010 to reflect the expectations of the PPACA and they detail the requirements for independent testing of an organi-zational compliance program. The role of the Board of Directors in terms of oversight and governance in the context of a corporate compliance program is detailed in the OIG Guidance for pharmaceutical manufacturers. This guidance incorporates the primary components re-lated to an effective compliance program, which are:

1. The OIG believes that every life sciences company compliance program must begin with a formal commitment by the company’s Board of Directors or other governing body.

2. The OIG expects that a Chief Compliance Officer will have authority to report directly to the Board of Directors or the president or CEO.

3. The OIG strongly encourages the participation and involvement of the pharmaceutical manufacturer’s Board of Directors, CEO, president, members of senior management, and other personnel from various levels of the organizational structure in the development of all aspects of the compliance program, especially a foundational code of conduct.

Structural and Operational Concerns

The basic fiduciary duty of care principle, which requires a director to act in good faith with the care an ordinarily prudent person would exercise under similar circumstanc-es, is being tested in the current climate of heightened corporate responsibility and government enforcement

action. The concept of personal liability for Directors, in-cluding removal and civil damages, as well as damage to reputation, was highlighted in the Caremark case of 1996. Each Director must have a basic understanding of the director’s fiduciary obligations and how the duty of care may be exercised in overseeing the company’s compliance systems. Embedded within the duty of care is the concept of reasonable inquiry. Directors must make inquiries to organizational leadership to obtain informa-tion necessary to ensure that the compliance program is indeed effective. The need for an independent inquiry is further reinforced through recent updates to the Federal Sentencing Guidelines, recent CIA requirements and the PhRMA Code.

The OIG guidance divides this type of inquiry into structur-al and operational issues. Examples of structural questions for the Board include:

» How is the compliance program structured and who are the key employees responsible for its implementation and operation?

» How is the Board structured to oversee compliance issues?

» How does the organization’s compliance reporting system work?

» How frequently does the Board receive reports about compliance issues?

By contrast, the Board’s compliance inquiry should en-compass these operational concerns:

» How does the Board keep apprised of significant regulatory and industry developments affecting the organization’s risk?

» How is the compliance program structured to address such risks?

» How are “at risk” operations assessed from a compliance perspective?

» Is conformance with the organization’s compliance program periodically evaluated?

» Does the organization periodically evaluate the effectiveness of the compliance program?

3 | L IFE SCIENCES

Board’s Role

The requirement for individual accountability of Board members reinforces the duty of care principle and has been further reinforced through the PPACA and the Federal Sentencing Guidelines. The FERA in 2009 and the PPACA in 2010 specifically heightened the potential for individual Board member compliance accountability. CIAs also play a major role in establishing and expanding personal Board member responsibility. As mentioned earlier, some CIAs specifically require that an independent Board-appointed compliance expert be retained to complete the compliance program effectiveness review. In 2010, companies such as Forest Laboratories, Synthes, Novartis and Elan faced such a requirement. Many other Boards have opted for an independent review on their own without that specific requirement in their CIA. Either way, the Board needs to ensure that there is an effective compliance program in place, established through appropriate due diligence, and reinforced through their governance and oversight.

Despite all these concerns, guidances and requirements, there is no explicit description of what a compliance ef-fectiveness review should look like. Experience suggests, however, that a basic approach to a compliance effec-tiveness review, one which will meet the individual Board member’s fiduciary responsibility and government re-quirements, will reflect the seven core elements of a com-pliance program. The most important of these, as alluded to earlier, encompass hiring a compliance officer to work with a compliance committee, developing written com-pliance standards, implementing comprehensive em-ployee compliance training, establishing a confidential disclosure program, maintaining regular compliance re-view (auditing and monitoring) and reporting to the com-pany Compliance Committee and Board of Directors all of which reinforce the ‘detect’ aspect of the compliance program. In addition, having a structured disciplinary pro-cess and disciplinary guidelines, coupled with an active investigation and corrective action process reinforces

the ‘prevent’ aspect of the program. Finally, taking a risk based approach to evaluating the compliance controls within the organization supports a rational focus, support-ing other assurance activities that might be evaluating the program, e.g. compliance monitoring and auditing, investigations, internal audit, and IRO reviews if relevant.

Within two to three reviews of a compliance program, es-pecially reviews associated with a CIA, the focus shifts to include a review of the sustainability of the Compliance Program. Key indicators of sustainability are:

» The Compliance Program being fully integrated into the business

» The Compliance Program ‘owned’ by the business » The Compliance Department acting as business

advisor and overseer of the programSuch elements create the framework for the Board to ask and answer the essential structural and operational questions to determine the effectiveness of the compli-ance program. They support a risk-based deep dive into control procedures maintained by compliance officials throughout the organization. This organizational aspect is crucial to transforming compliance into a matter of organization-wide consistency. It supports a transforma-tion in which the compliance program is owned by the company’s senior and line management, and becomes integrated with the entire culture of the organization.

In such a context, compliance is no longer viewed as a function of the “compliance department” but rather, as a comprehensive program directed from the top, begin-ning with Board of Director oversight. This is as it should be, because the OIG has explicitly stated that “the role played by healthcare organizations’ Boards of Directors is a key component of an effective compliance program.” A life sciences company Board’s commitment to compli-ance and effective compliance oversight must be abso-lute. Anything less puts the company – and the individual Board member – at extreme legal risk.

4 | L IFE SCIENCES

© 2013 Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services.See www.navigant.com/licensing for a complete listing of private investigator licenses.

Beyond the Board

An investment into an independent review of the effec-tiveness of the compliance program can be significant, and it is crucial that the compliance department secures valuable insights throughout the process.

The first such review will provide the compliance depart-ment with a foundational understanding of the Compli-ance Program, across the seven elements of compli-ance, as described by the OIG and Federal Sentencing Guidelines. This provides the base-line from where the evolution of the program can be measured. This first re-view can also be leveraged to meet PhRMA guidance on completing an independent review of the Compli-ance Program in the context of PhRMA requirements.

This Compliance Program “meta-analysis” provides a review of the program design and mission, and identifies areas of opportunity for reinforcement and/or improvement.

Following the results of this first review, the compliance department should work with the reviewer to identify better practices and implementation considerations, to ensure that any management response is aligned with the overall philosophy of having an effective program in place. Testing ideas, exploring alternative approaches and alignment with future plans can then be achieved at the company Compliance Committee, reinforcing own-ership of the program by the business.

Subsequent compliance effectiveness reviews should:

» Confirm implementation or reinforcement of compliance controls, and the effectiveness of these controls

» Confirm maintenance and evolution across the seven elements, and

» Explore additional areas of risk

Addition value derived from compliance effectiveness reviews include:

» Qualitative enhancements » Consistency throughout the organization » Continuity across the organization

Qualitative enhancements include ensuring a rational program design in response to the regulatory environ-ment and ethical considerations. Overall program design should examine elements such as policy, implementing procedures, training and control points. Consistency and continuity ensure a stable internal compliance environ-ment that fosters ownership of compliance and confident informed decision making throughout the business.